projects / certmaster.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Added setting of ciphersuite with only high and better SSLv3 certs. This should...
[certmaster.git] / certmaster / SSLCommon.py
diff --git a/certmaster/SSLCommon.py b/certmaster/SSLCommon.py
index 6959749..c3e76c2 100644 (file)
--- a/certmaster/SSLCommon.py
+++ b/certmaster/SSLCommon.py
@@ -29,13 +29,17 @@ def our_verify(connection, x509, errNum, errDepth, preverifyOK):
     return preverifyOK
 
 
-def CreateSSLContext(pkey, cert, ca_cert):
+def CreateSSLContext(pkey, cert, ca_cert, passwd_callback=None):
     for f in pkey, cert, ca_cert:
         if f and not os.access(f, os.R_OK):
             print "%s does not exist or is not readable." % f
             os._exit(1)
 
     ctx = SSL.Context(SSL.SSLv3_METHOD)   # SSLv3 only
+    if passwd_callback:
+        ctx.set_passwd_cb = passwd_callback
+
+    ctx.set_cipher_list('ALL:!aNULL:!ADH:!eNULL:!LOW:!MEDIUM:!EXP:RC4+RSA:+HIGH')
     ctx.use_certificate_file(cert)
     ctx.use_privatekey_file(pkey)
     ctx.load_client_ca(ca_cert)
@@ -118,4 +122,3 @@ class HTTPS(httplib.HTTP):
 
     def __init__(self, host='', port=None, ssl_context=None, strict=None, timeout=None):
         self._setup(self._connection_class(host, port, ssl_context, strict, timeout))
-
Fedora's certmaster (https://fedorahosted.org/certmaster/) with multiple CA support